Re: D Language Foundation October 2022 Quarterly Meeting Summary

2022-11-04 Thread H. S. Teoh via Digitalmars-d-announce
On Fri, Nov 04, 2022 at 03:57:05PM +, Bastiaan Veelo via 
Digitalmars-d-announce wrote:
> On Wednesday, 2 November 2022 at 18:20:42 UTC, H. S. Teoh wrote:
> > On Wed, Nov 02, 2022 at 06:11:12PM +, M. M. via
> > Digitalmars-d-announce wrote:
> > > Thank you to Martin Nowak for all his as release manager. Happy to
> > > hear that someone like Ian took over.
> > 
> > I'm just curious why Martin stepped down. If he doesn't mind sharing
> > the reason.
> 
> From what I've heard, Martin started his own business, which takes up
> all his time.
> 
> Wishing you success, Martin!
[...]

+1, best wishes, Martin!


T

-- 
Obviously, some things aren't very obvious.


Re: D Language Foundation October 2022 Quarterly Meeting Summary

2022-11-04 Thread Bastiaan Veelo via Digitalmars-d-announce

On Wednesday, 2 November 2022 at 18:20:42 UTC, H. S. Teoh wrote:
On Wed, Nov 02, 2022 at 06:11:12PM +, M. M. via 
Digitalmars-d-announce wrote:
Thank you to Martin Nowak for all his as release manager. 
Happy to hear that someone like Ian took over.


I'm just curious why Martin stepped down. If he doesn't mind 
sharing the reason.


From what I've heard, Martin started his own business, which 
takes up all his time.


Wishing you success, Martin!

-- Bastiaan.


Re: Release D 2.100.2

2022-11-04 Thread Guillaume Piolat via Digitalmars-d-announce
On Friday, 4 November 2022 at 14:14:43 UTC, Guillaume Piolat 
wrote:


One could perhaps use a self-signed certificate that will allow 
to reuse that Authenticode reputation, I'm not sure.



Now, to be very clear: there is a chance that even a non-CA 
certificate would accumulate trust, since according to MS:


Application reputation for unsigned software is based on 
fingerprints while publisher reputation is based on signed 
software associated with a code signing certificate.


It's not entirely clear that you absolutely require a real 
trusted CA to get that reputation.




Re: Release D 2.100.2

2022-11-04 Thread Guillaume Piolat via Digitalmars-d-announce
On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:
What does in a hardware token mean for us? Is it required to 
have it to hand every time we have to sign a beta, rc, final 
release binary?  Does it bound us to a specific OS because of 
locked in proprietary tools?


Unfortunately I don't know.

In what way would it hamper the ability to sign built binaries 
on a virtual machine, in a remote server, behind a read-only 
console UI?


Probably in a big way.

Previously, I would just commit the .pfx/.p12, this will be soon 
impossible (granted, this lower security to commit the cert). 
This won't be possible, perhaps already is.


The Certum "cloud" solution needs a desktop app AND a phone APP 
(Android/iPhone), and is unsuitable for CI.


All this just for Windows code signing.

My prediction is that in a few years Microsoft will stop this 
nightmare and do like Apple and you will just cloud-sign stuff 
with a microsoft.com account. This will be a lot better.



THAT SAID

Now, codesigning certificates do not provide automatic warning 
removal. Every Windows program has an Authenticode score, having 
an EV just gets you a high score from the get go, but you still 
have reputation. So the only thing you buy is freedom from the 
warning pop-up and the user gets some safety. An OV gets no 
initial reputation, and the word on the street is that when you 
change cert every 3 years you must regain that reputation.


One could perhaps use a self-signed certificate that will allow 
to reuse that Authenticode reputation, I'm not sure.
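As an added example, not code from the thread or from the D Language Foundation, here is a release-pipeline check that would have caught the situation JN reported (an installer shipped without a signature, hence the SmartScreen warning): it parses the PE headers and reports whether an Authenticode certificate table is present. It checks presence only, not validity; the chain and timestamp still need signtool or osslsigncode. The build_fake_pe helper constructs a skeleton PE32+ image for demonstration and is not a real binary.

```python
import struct

SECURITY_DIR_INDEX = 4                  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData


def authenticode_status(pe: bytes) -> dict:
    """Report whether a PE image carries an Authenticode certificate table.
    Header parsing only: says nothing about whether the signature verifies."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_hdr = e_lfanew + 4 + 20                       # skip COFF file header
    magic = struct.unpack_from("<H", pe, opt_hdr)[0]
    dirs = opt_hdr + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    entry = dirs + SECURITY_DIR_INDEX * 8
    offset, size = struct.unpack_from("<II", pe, entry)  # file offset, not an RVA
    if offset == 0 or size == 0:
        return {"signed": False, "reason": "no certificate table"}
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return {"signed": False, "reason": f"unexpected cert type 0x{cert_type:04x}"}
    return {"signed": True, "cert_bytes": length - 8}   # 8 = WIN_CERTIFICATE header


def build_fake_pe(signed: bool) -> bytes:
    """Constructed PE32+ skeleton (headers only) used to exercise the check."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # AMD64, 240-byte opt hdr
    opt = struct.pack("<H", 0x20B) + b"\0" * (112 - 2)             # PE32+ magic
    dirs = bytearray(16 * 8)
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    cert = b""
    if signed:
        pkcs7 = b"\x30\x82\x01\x00" + b"\0" * 252  # placeholder DER blob, not a real signature
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", dirs, SECURITY_DIR_INDEX * 8, hdr_len, len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the installer .exe before it is uploaded
        with open(path, "rb") as f:
            print(path, authenticode_status(f.read()))
```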


Re: Release D 2.100.2

2022-11-04 Thread Iain Buclaw via Digitalmars-d-announce
On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat 
wrote:

On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
wrote:

On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
Windows is showing SmartScreen warnings when trying to run 
the Windows installer. Also, the installed version reports 
as v2.100.2-dirty.


The next few releases are unsigned as those with the keys 
cannot be contacted (or, that's from what I've heard.)


Code signing certs have been expired for nearly two years now, 
and are no longer functional.  It is not yet decided what this 
should be replaced with, granted that buying a cert now is 
both eye-wateringly more expensive compared to 2016, and 
appears to force you to have some form of 2FA - be it hardware 
token or cloud signing platform.


Last time I had to do this:

Basically you have Certum.pl which provides cloud-signing, this 
company responds quickly, getting an individual OV certificate 
takes about 2-3 days.
"cloud" signing with needs a phone token, a phone app 
SimplySign, that last 15 minutes or so.




If this can be distributed between a group of people - let's say 
six or more - that might be OK, but not exactly as seamless as, 
say, just trigger a GitHub runner pipeline and walk away.


On the other hand, .p12/.pfx vendors are almost entirely 
COMODO/Sectigo now, it works offline, getting a certificate is 
more painful with them and will require a hardware token even 
for OV beginning this month.


0. It's less hassle not to do anything, but well we could have 
a supply-chain attack one day.
1. If cloud/simplysign workflow is OK, Certum may be less 
hassle.
2. Possibly safer / less problems in build to just get the EV 
from Sectigo in a hardware token. Especially if you commit the 
secret in CI.


Since November signing will require hardware token or private 
key in cloud (2FA).


What does in a hardware token mean for us? Is it required to have 
it to hand every time we have to sign a beta, rc, final release 
binary?  Does it bound us to a specific OS because of locked in 
proprietary tools?  In what way would it hamper the ability to 
sign built binaries on a virtual machine, in a remote server, 
behind a read-only console UI?


Re: Release D 2.100.2

2022-11-04 Thread Guillaume Piolat via Digitalmars-d-announce

On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
wrote:

On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
Windows is showing SmartScreen warnings when trying to run 
the Windows installer. Also, the installed version reports as 
v2.100.2-dirty.


The next few releases are unsigned as those with the keys 
cannot be contacted (or, that's from what I've heard.)


Code signing certs have been expired for nearly two years now, 
and are no longer functional.  It is not yet decided what this 
should be replaced with, granted that buying a cert now is both 
eye-wateringly more expensive compared to 2016, and appears to 
force you to have some form of 2FA - be it hardware token or 
cloud signing platform.


Last time I had to do this:

Basically you have Certum.pl which provides cloud-signing, this 
company responds quickly, getting an individual OV certificate 
takes about 2-3 days.
"cloud" signing with needs a phone token, a phone app SimplySign, 
that last 15 minutes or so.


On the other hand, .p12/.pfx vendors are almost entirely 
COMODO/Sectigo now, it works offline, getting a certificate is 
more painful with them and will require a hardware token even for 
OV beginning this month.


0. It's less hassle not to do anything, but well we could have a 
supply-chain attack one day.

1. If cloud/simplysign workflow is OK, Certum may be less hassle.
2. Possibly safer / less problems in build to just get the EV 
from Sectigo in a hardware token. Especially if you commit the 
secret in CI.


Since November signing will require hardware token or private key 
in cloud (2FA).